Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

v1.0.0

AI video creation and editing — generate videos from text descriptions, edit with background music, sound effects, titles, transitions, and export finished M...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (AI video creation & editing) match the runtime instructions: creating sessions, uploading, SSE messaging, exporting/rendering, and using a NEMO_TOKEN to call the service. Declared primary credential (NEMO_TOKEN) is appropriate for the stated purpose.
Instruction Scope
Instructions require persisting a client_id to ~/.config/nemovideo/client_id (UUID only) which is reasonable, but they also instruct constructing a browser link that places the bearer token (NEMO_TOKEN) directly into a query parameter (workspace/claim?token=<NEMO_TOKEN>&...). Exposing tokens in URLs risks leakage via browser history, referer headers, logs, and shared links. The skill also mandates custom headers including X-Skill-Platform derived from the skill file path (SKILL_SOURCE), which can leak local install path/platform info to the remote API. These behaviors exceed what's strictly necessary for video creation and raise privacy/leakage risks.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk-write/execute risk; nothing is downloaded or installed by the skill itself.
Credentials
Only NEMO_TOKEN is declared as the primary credential and other env vars are optional (API URL, WEB URL, client id). That is proportionate to a third-party API integration. However, the instructions imply saving and reusing the token and client id across sessions and transmitting them in headers and URLs; the token-in-URL pattern is the primary concern for credential exposure.
Persistence & Privilege
The skill writes a small client_id to ~/.config/nemovideo/client_id (UUID only) to avoid frequent anonymous token creation; this is a limited, self-contained persistence. The skill is not marked 'always:true' and does not request system-wide config changes beyond its own config path.
What to consider before installing
This skill appears to be a legitimate NemoVideo integration, but be cautious about token handling: the runtime instructions put your bearer token (NEMO_TOKEN) into a browser URL (workspace/claim?token=...), which can leak the token via browser history, referer headers, server logs, or if you share the link. Consider these mitigations before installing:
1) Use a disposable or limited-scope API token for this skill (revoke it if you suspect leakage).
2) Prefer to avoid clicking or sharing the generated claim URL on shared/public machines; ask the skill to provide a method that doesn't embed tokens in links.
3) Confirm with NemoVideo whether putting tokens in query strings is required or if a short-lived session link can be used instead.
4) If you are concerned about exposing local installation metadata, avoid setting SKILL_SOURCE env to a value that reveals sensitive paths.
If you want a firmer recommendation, provide the full SKILL.md and any additional runtime code or tell me whether the backend enforces tokens in URLs — that would raise my confidence.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
Primary env: NEMO_TOKEN
